Sunday, April 03, 2011

A little while ago I helped get the registry stuff working on images other than XP for Volatility 1.4. There are some differences in how the paths and names of the hives are stored that I thought I might go over here.

When running the hivelist command from Volatility on an XP or Windows 2003 image, the name of the hive is taken from the FileFullPath member of _CMHIVE. This is a generic name prefixed with "\Device\HarddiskVolume1" rather than the drive-letter path a user would type. There is also a FileUserName member in _CMHIVE, which may contain the actual path to the hive on disk. Here are a few examples:

Starting with Windows Vista, _CMHIVE gains an extra member, HiveRootPath, which holds a registry-style name beginning with either \REGISTRY\MACHINE or \REGISTRY\USER. Below is output from a modified hivelist plugin; each hive is separated by asterisks:

You can see that a couple of hives have only HiveRootPath populated (\REGISTRY\MACHINE\SYSTEM and \REGISTRY\MACHINE\HARDWARE). \REGISTRY\MACHINE\HARDWARE is a volatile hive: it has no backing file on disk and is filled with hardware information during boot [1]; we will explore this key a bit later. The output is the same for all service packs of Vista as well as for Windows 2008 (which is closely related to Vista SP1/2).
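The three members discussed so far (FileFullPath, FileUserName and HiveRootPath) are not all populated on every Windows version, so a hivelist-style plugin has to fall back from one to the next. The following is an added illustration written for this post, not Volatility's own code: it models the _CMHIVE members as a small record, decodes the kernel's _UNICODE_STRING-style fields (whose Length is in bytes, not characters), and picks a display name with a fallback order that is my assumption here (FileFullPath, then FileUserName, then HiveRootPath). The hive records and offsets are constructed sample data.

```python
# Added example for this post; not part of Volatility. Field names mirror the
# _CMHIVE members discussed above; sample records below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def decode_unicode_string(length: int, buffer: bytes) -> str:
    """Decode a _UNICODE_STRING-style field.

    Length counts bytes, not characters, and the buffer is UTF-16LE.
    An unpopulated member has Length 0 (or a NULL Buffer), which we
    report as the empty string rather than decoding garbage.
    """
    if length == 0 or not buffer:
        return ""
    return buffer[:length].decode("utf-16-le", errors="replace")


@dataclass
class CmHive:
    """Minimal stand-in for the _CMHIVE members the post looks at."""
    offset: int                             # virtual address of the _CMHIVE
    file_full_path: Optional[str] = None    # \Device\HarddiskVolumeN\... (XP/2003, Vista)
    file_user_name: Optional[str] = None    # on-disk path, may be empty
    hive_root_path: Optional[str] = None    # \REGISTRY\MACHINE\... or \REGISTRY\USER\... (Vista+)


def hive_name(hive: CmHive) -> str:
    """Return the first populated name in the (assumed) order of preference.

    Volatile hives such as \\REGISTRY\\MACHINE\\HARDWARE have no on-disk
    file, so only HiveRootPath is available for them; a hive with nothing
    populated at all gets a placeholder instead of an exception.
    """
    for candidate in (hive.file_full_path, hive.file_user_name, hive.hive_root_path):
        if candidate:
            return candidate
    return "[no name]"


def hivelist_rows(hives: List[CmHive]) -> List[str]:
    """Format hives the way a hivelist plugin would print them: offset, name."""
    return [f"{h.offset:#010x} {hive_name(h)}" for h in hives]


# Constructed sample data (offsets are made up) covering the three cases above.
SAMPLE_HIVES: List[CmHive] = [
    # XP/2003: FileFullPath carries the generic \Device\HarddiskVolume1 name.
    CmHive(
        offset=0xE1A4F008,
        file_full_path=r"\Device\HarddiskVolume1\WINDOWS\system32\config\software",
        file_user_name=r"\Device\HarddiskVolume1\WINDOWS\system32\config\software",
    ),
    # Vista: a volatile hive with only HiveRootPath populated.
    CmHive(offset=0xE1C3A008, hive_root_path=r"\REGISTRY\MACHINE\HARDWARE"),
    # Nothing populated: the fallback must not crash the listing.
    CmHive(offset=0xE1D00008),
]


def decoded_system_root() -> Tuple[str, str]:
    """Round-trip a constructed UTF-16LE HiveRootPath through the decoder,
    and show that a zero Length yields an empty name even with a stale buffer."""
    raw = r"\REGISTRY\MACHINE\SYSTEM".encode("utf-16-le")
    return decode_unicode_string(len(raw), raw), decode_unicode_string(0, raw)


if __name__ == "__main__":
    for row in hivelist_rows(SAMPLE_HIVES):
        print(row)
    print(decoded_system_root())
```

The useful check when porting this to a real plugin is the zero-Length case: a _CMHIVE whose FileFullPath has Length 0 may still point at a stale buffer, so test the length before reading, or the listing fills with leftover strings from other hives.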

For Windows 7 we get slightly different results. Even though FileFullPath is still defined in _CMHIVE for Windows 7, it does not appear to be used at all: